As the Internet has grown, the benefits associated with the Internet have also increased greatly. People can stream continuous audio and video (e.g., listen to Internet radio stations, watch news videos, etc.), play on-line games, download movies and music, share pictures with friends and family, and collaborate with co-workers all over the world.
The Internet has grown tremendously since its inception, and the traffic communicated over the Internet is enormous. Part of this traffic is spam, or unsolicited junk email. Spam is often used to advertise a particular product or service. With the number of emails communicated over the Internet increasing at an enormous rate, spam too has increased rapidly.
Another form of unwanted email is messages that contain viruses or worms. Typically, these emails are associated with an attachment or an executable file. When the attachment is opened or when the executable is downloaded, the machine often becomes infected with a virus or worm.
Customers (also referred to below as users), in turn, may complain to their Internet Service Provider (ISP) about the amount of spam that they receive. Because spam is such an annoyance to customers, and also because spam makes it more difficult to recognize emails that the customer wants to receive, ISPs typically want to limit the amount of spam that their customers receive.
One technique available to limit spam is spam filtering software. Filters can focus on particular keywords in the subject line of an email to attempt to identify and delete spam. These filters, however, can be sidestepped by spelling those particular keywords differently (e.g., with dashes separating the letters). Additionally, filters may block email that has the particular keyword in its subject even when it is an email that the customer wants to receive. More advanced filters, known as heuristic filters, attempt to statistically identify spam based on word patterns or word frequency. A spammer, or a person who sends spam, can still circumvent these advanced filters, such as by using short messages.
A spammer may have an array of servers transmitting spam, with each server having its own Internet Protocol (IP) address. Once spam is detected as being transmitted from a particular IP address, that IP address is put onto a blacklist. ISPs that host email accounts often inspect the sending IP address of every email and filter out those emails whose sending IP address matches an address on the blacklist.
One technique that spammers use to avoid having their IP addresses put on the blacklist is using “zombie” computers to send spam. A zombie computer is a computer that is under the control of another computer (e.g., the controller). Specifically, a spammer typically uses a controller computer to write a program called a daemon. A daemon is a program that is implanted on a zombie computer and puts the zombie computer under the control of the spammer without the knowledge of the user of the zombie computer. The controller transmits this daemon to one or more zombie computers via an attachment or over a network. When the daemon arrives at the zombie computer, it executes in the background without the user of the zombie computer noticing any change, thereby “stealing” the zombie computer's resources.
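The following is an added illustration, not part of the original text, of the keyword-filter weakness described above: a filter that matches whole keywords in the subject line misses a keyword whose letters have been separated by dashes, while a filter that first re-joins runs of single characters catches it. The keyword list and the sample subjects are constructed for this example; the normalization rule (merge consecutive one-character tokens into a single word) is an assumption, not a method from the page. The example also shows the second problem the text raises, a legitimate subject blocked because it happens to contain a keyword.

```python
import re

# Constructed keyword list for this example (not from the page).
SPAM_KEYWORDS = ("free", "winner", "pills")


def tokenize(subject: str) -> list[str]:
    """Lowercase the subject and split it into alphanumeric runs."""
    return re.findall(r"[a-z0-9]+", subject.lower())


def naive_keyword_filter(subject: str, keywords=SPAM_KEYWORDS) -> bool:
    """Flag the subject if any keyword appears as a whole word.

    'F-R-E-E money' tokenizes to ['f', 'r', 'e', 'e', 'money'], so the
    keyword 'free' is never seen as a single token and the message passes.
    """
    words = set(tokenize(subject))
    return any(k in words for k in keywords)


def normalize_subject(subject: str) -> list[str]:
    """Undo the separator trick (assumed normalization rule).

    Consecutive one-character tokens are merged into one word, so
    'f-r-e-e' and 'f r e e' both become 'free'. A lone single-character
    token such as 'a' is left as it is.
    """
    words: list[str] = []
    run: list[str] = []
    for tok in tokenize(subject):
        if len(tok) == 1:
            run.append(tok)
            continue
        if run:
            words.append("".join(run))
            run = []
        words.append(tok)
    if run:
        words.append("".join(run))
    return words


def normalized_keyword_filter(subject: str, keywords=SPAM_KEYWORDS) -> bool:
    """Same check as the naive filter, run on the normalized subject."""
    words = set(normalize_subject(subject))
    return any(k in words for k in keywords)


def classify(subject: str) -> dict:
    """Return both verdicts so the two filters can be compared side by side."""
    return {
        "subject": subject,
        "naive": naive_keyword_filter(subject),
        "normalized": normalized_keyword_filter(subject),
    }


if __name__ == "__main__":
    # Constructed sample subjects.
    for s in ("F-R-E-E money now", "Free lunch on Friday", "Q3 budget review",
              "Feel free to call me back"):
        print(classify(s))
```

The last sample subject is the false-positive case from the text: a message the customer wants is blocked by both filters because "free" is a legitimate English word, which is why keyword matching alone is a weak basis for deleting mail.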
To convert a computer to a zombie computer, the spammer performs several steps. One step is to infect the zombie computer. A method spammers use to infect the zombie computer is to send an email message to the user that contains the daemon, with some enticement to get the user to open the attached daemon. The message may also attempt to exploit flaws in common email programs that would allow the daemon to be installed directly. Another method is to run a “port scanner” against the user's machine to look for flaws.
Specifically, computers connected to the Internet have thousands of ports that work like doors for network services. For example, mail typically travels through ports 25, 110, 143, and 587, and website data typically travels through port 80. Only a few of these “doors” are open at a time, depending on what kind of data a computer accepts or sends. The spammer, trying to convert a computer to a zombie, executes a port scanner that sends messages to all possible ports of the computer to see which ones are open and accept information, and what kind of computer it is.
Many programs that accept data have flaws. The spammer uses a toolkit of different programs to identify these flaws on available ports. If a flaw is available, the spammer can inject the daemon into the computer. When the spammer logs off a computer, the daemon uses its own toolkit to find a flaw in yet another computer. If the daemon finds a flaw, the daemon can then install another daemon on that computer. The daemons can then use the zombie computers to transmit spam email, or unsolicited junk email, to one or more recipients. The daemon can, for example, send spam to email addresses stored on the zombie computer, or receive a list of addresses from the spammer indicating where to send the spam.
The daemons therefore enable spammers to route spam emails through the zombie computers. Since the IP addresses of these machines are new, the IP addresses do not appear in the IP address blacklists and millions of spam emails can be routed through the zombie computers before they get blacklisted.
Another mechanism ISPs use to detect a spam attack is based on the rate of message transmission from a single host. If an unknown host is sending vast quantities of messages to the ISP, that host is treated as a potential spammer and is subsequently limited in the message rate permitted from it. By using zombies, instead of sending thousands of messages from a small number of hosts to the ISP, a spammer sends a small number of messages from each of thousands of zombies. Each zombie stays below the threshold of the ISP's rate limiting and is not detected. This is often referred to as a trickle attack.
Detecting spam sent from zombie computers is therefore often a difficult task. To reduce the amount of spam received by ISPs' customers, there remains a need for ISPs to detect spam generated by zombie computers.
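The following is an added example, not part of the original text, of the per-host rate limiting described above and of why a trickle attack passes it. It runs a sliding-window limit per sending IP over a constructed gateway log in which one host sends a burst of thirty messages and forty separate hosts each send a single copy of the same message. The window size, the per-host limit, the addresses (taken from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24) and the message bodies are all constructed for the example. The second function goes beyond what the page describes: it groups accepted messages by a fingerprint of the body and counts distinct senders per fingerprint, which is one way an aggregate view can surface the trickle that the per-host check misses.

```python
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding-window length
PER_HOST_LIMIT = 20   # assumed per-host message limit within the window
MIN_SENDERS = 10      # assumed threshold for the cross-sender check

# Constructed message bodies.
BURST_BODY = "bulk offer one - reply today"
TRICKLE_BODY = "bulk offer two - reply today"


def build_events() -> list[tuple[int, str, str]]:
    """Constructed gateway log: (timestamp_seconds, sender_ip, body)."""
    events = []
    # One host sending a burst of 30 messages in 30 seconds.
    events += [(t, "198.51.100.7", BURST_BODY) for t in range(30)]
    # Forty zombies, one message each, same body, spread over 40 seconds.
    events += [(i, f"192.0.2.{i + 1}", TRICKLE_BODY) for i in range(40)]
    # A legitimate host sending three different messages.
    events += [(5, "192.0.2.200", "lunch on friday?"),
               (10, "192.0.2.200", "draft agenda attached"),
               (15, "192.0.2.200", "re: draft agenda")]
    return sorted(events)


EVENTS = build_events()


def per_host_rate_limit(events, limit=PER_HOST_LIMIT, window=WINDOW_SECONDS):
    """Sliding-window count per sending IP.

    A message is accepted if the host has sent fewer than `limit` messages
    in the preceding `window` seconds; otherwise it is dropped and the host
    is recorded as throttled. Returns (accepted_events, throttled_hosts).
    """
    recent = defaultdict(deque)   # ip -> timestamps of accepted messages
    throttled = set()
    accepted = []
    for ts, ip, body in events:
        q = recent[ip]
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) >= limit:
            throttled.add(ip)
            continue
        q.append(ts)
        accepted.append((ts, ip, body))
    return accepted, throttled


def fingerprint(body: str) -> str:
    """Stable fingerprint of a body with whitespace and case normalized."""
    canonical = " ".join(body.lower().split())
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def cross_sender_clusters(events, min_senders=MIN_SENDERS, window=WINDOW_SECONDS):
    """Flag fingerprints seen from at least `min_senders` distinct hosts within the window.

    Returns {fingerprint: distinct_sender_count} for flagged fingerprints.
    """
    recent = defaultdict(deque)   # fingerprint -> (timestamp, ip)
    flagged = {}
    for ts, ip, body in events:
        fp = fingerprint(body)
        q = recent[fp]
        while q and ts - q[0][0] >= window:
            q.popleft()
        q.append((ts, ip))
        distinct = {sender for _, sender in q}
        if len(distinct) >= min_senders:
            flagged[fp] = len(distinct)
    return flagged


if __name__ == "__main__":
    accepted, throttled = per_host_rate_limit(EVENTS)
    print("throttled hosts:", sorted(throttled))
    print("accepted messages:", len(accepted), "of", len(EVENTS))
    print("cross-sender clusters:", cross_sender_clusters(accepted))
```

Run as written, the burst host is throttled after its twentieth message, while every one of the forty single-message zombies is accepted, which is the trickle attack in the text. The cross-sender pass then reports the shared body as arriving from forty distinct hosts inside one window, while the legitimate host's three different messages and the burst host's single fingerprint stay below the threshold.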